
HELP: Orphan domain into new forest?

29th March 2007, 13:50

Ok, I'll try this again since I didn't get any responses.

I have a Windows 2000 domain (abc.net) which was migrated from NT and joined a Windows 2000 enterprise (xyz.com). "abc.net" is widely recognized by the public but is no longer associated with xyz.com (although there will be trusts between them).

I need to move abc.net into its own forest, keeping the abc.net name and severing the ties to xyz.com.

Is this possible? Practical? Can I do it with some combination of migrations and domain renames?

All that I say below will apply if abc.net was a child domain of forest xyz.net (i.e. abc.xyz.net). If it was not, then none of the below applies and there is no reason that the dissociation should not take place.

You will need to destroy the domain and start again with a new "abc.net" as far as I can tell. I believe that "Swing Migration" will assist in moving user accounts etc from the old domain into the new one - but with the domain name being the same I'm not sure whether there will be any additional implications to consider.

To achieve this you will first have to build a domain controller for the new abc.net which is ISOLATED (network wise) from the old abc.net.

Tom
For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.
Anything you say will be misquoted and used against you


Well, the NT 4.0 domain abc.net existed on its own for a while. Then the parent "organization" created an "Enterprise" xyz.com and "forced" the abc.net domain to join. Then, the whole lot was migrated into AD 2000 with a common global address list and with the Enterprise security SID residing in the xyz.com "forest" but abc.net controlling its own users, etc. There are also public folders shared between the two (which will be re-established, as necessary, with trusts). In terms of IP domains, abc.net was never a child of xyz.com.

What happened to change the entire setup is that Microsoft was not particularly forthcoming in early publications of the AD 2003 security best practices and didn't bother to correct the impression that domains would continue to be security boundaries in AD 2003. In fact, this responsibility has shifted to forests.

abc.net can be thought of as a separate business organization with a common board of directors but legally distinct. The need to separate it completely is driven by the need to protect patient information since the "parent" (xyz.com) is a conglomerate and not in that business, per se.

What I need to ensure is that SIDs from the old enterprise are not replicated to the new domain since this would create security problems.

Thanks for your help!


With your SID history requirements I would create the new domain. Anything else would not achieve this very basic requirement. Also, I'm not sure if Swing Migration carries the original SIDs over, or simply copies the user information into the new domain. If the migration carries the SID, you will have to re-create all the user accounts too.

Don't forget that with your requirement for new SIDs, you will have to manually set up permissions to resources for the new user accounts.

Tom


The only SIDs I don't want to migrate are those with Forest/Enterprise permissions; however, to be on the safe side, perhaps it would be better to recreate everything since there are health privacy issues driving this.
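The SID history concern running through this thread (not wanting SIDs from the old enterprise, and in particular forest-level ones, to ride along into the new domain) is something that can be audited before deciding whether to migrate or recreate accounts. The check below is an added example, not code from the thread; the domain SIDs and account records in it are constructed, and in a real audit the sIDHistory values would be read from each account in the old domain.

```python
# Added example (not from the thread): flag sIDHistory values that must not follow
# accounts into the new abc.net forest. All SIDs and accounts below are constructed.

# Well-known RIDs whose SIDs grant forest-wide control (forest root domain only)
FOREST_PRIVILEGED_RIDS = {518: "Schema Admins", 519: "Enterprise Admins"}
# Well-known RIDs that grant domain-wide control in any domain
DOMAIN_PRIVILEGED_RIDS = {500: "Administrator", 512: "Domain Admins"}

def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID); reject malformed input."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])

def classify_sid(sid, old_forest_root_sid, old_domain_sids):
    """Return (category, description) for one sIDHistory value."""
    domain_sid, rid = split_sid(sid)
    if domain_sid == old_forest_root_sid and rid in FOREST_PRIVILEGED_RIDS:
        return "forest-privileged", FOREST_PRIVILEGED_RIDS[rid]
    if domain_sid in old_domain_sids and rid in DOMAIN_PRIVILEGED_RIDS:
        return "domain-privileged", DOMAIN_PRIVILEGED_RIDS[rid]
    if domain_sid in old_domain_sids:
        return "old-forest", "ordinary account or group from the old forest"
    return "foreign", "domain outside the old forest"

def audit_sid_history(accounts, old_forest_root_sid, old_domain_sids):
    """Map each account with a non-empty sIDHistory to its (sid, category, description) hits."""
    findings = {}
    for acct in accounts:
        hits = [(s, *classify_sid(s, old_forest_root_sid, old_domain_sids))
                for s in acct.get("sIDHistory", [])]
        if hits:
            findings[acct["sAMAccountName"]] = hits
    return findings

# Constructed domain SIDs standing in for xyz.com (old forest root) and abc.net
XYZ_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ABC_SID = "S-1-5-21-4444444444-5555555555-6666666666"
# Constructed accounts as they might look after a migration that kept SID history
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jdoe", "sIDHistory": [ABC_SID + "-1105"]},
    {"sAMAccountName": "admin1", "sIDHistory": [XYZ_SID + "-519", ABC_SID + "-512"]},
    {"sAMAccountName": "newuser", "sIDHistory": []},
]

if __name__ == "__main__":
    for name, hits in audit_sid_history(SAMPLE_ACCOUNTS, XYZ_SID, {XYZ_SID, ABC_SID}).items():
        for sid, category, desc in hits:
            print(f"{name}: {sid} [{category}] {desc}")
```

Any account in the "forest-privileged" category is exactly the case the thread wants kept out of the new domain; an account with no hits has nothing from the old enterprise attached and needs no special handling.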